July 2025 APT Group Trends Report

2025-08-22 Ahnlab July 2025 APT Group Trends Report

https://asec.ahnlab.com/ko/89771/

AhnLab’s July 2025 APT trend report highlights multiple North Korea-linked intrusion patterns, including Kimsuky ClickFix activity against South Korean diplomacy, security, international politics, defense, portal, research, and expert targets. The Kimsuky section describes spear-phishing through impersonated journalists, government aides, police investigators, interview requests, meeting invitations, malicious links, HWP/OLE content, VBS and LNK execution, reversed PowerShell obfuscation, scheduled-task persistence, C2 communication, keylogging, and information collection. Another Kimsuky case used a fake Bandizip installer to deploy the VMProtect-protected HappyDoor backdoor, with mshta, regsvr32, PowerShell, VBScript, registry and ADS hiding, document collection, screenshots, audio capture, removable-drive searches, and remote-control capability. The Lazarus section describes a deceptive job-interview and fake NVIDIA-update chain that led users to run commands, execute VBS and obfuscated Python payloads, steal browser and email credentials with NirSoft tools, install MeshAgent, persist via scheduled tasks, and collect cryptocurrency-related data. The report is useful because it consolidates DPRK-linked social-engineering tradecraft across ClickFix, software-impersonation, and recruitment-themed infection chains.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   aa2c1910a15aed642f0daf7ef8e38699    2025-08-22   2025-08-22
